JP2016054430A - Data concealment/restoration device, method and program, data concealment/restoration system, and document creation device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a data concealment/restoration device which allows for transmission/reception and storage and use by a third party of the data including information, that use wants to conceal, in safe state.SOLUTION: A data concealment/restoration device 4 of user terminals 7A, B identifies a data position to be concealed on a screen where data d is inputted by a concealment policy 21, specifies a value to be concealed by a concealment dictionary 22, and generates safety data d' by encrypting each value thus identified by an encryption key k distributed from an encryption key distribution device 3, before being transmitted to a data storage device 2. The data storage device 2 stores the safety data d' thus received, and transmits the safety data d' including the search results to the user terminals 7A, B in response to a search request. The data concealment/restoration devices 4A, B detect and decrypts a value encrypted from the safety data d' including the search results thus received, and generate the data d, i.e., the decrypted search results. A third party terminal 8 can use only the information. that is not concealed, out of the information stored in the data storage device 2.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a technique for concealing and restoring a part of data.

  Currently, it is common for a plurality of users to store data in a data storage server (hereinafter simply referred to as “server”) provided in the system using a single system. Here, the system is composed of a user-side computer (client) and a server-side computer for storing data, and both are connected via a network, and in particular, connected via various networks including the Internet. Including cloud systems.

  In a system used by multiple users, when it is desired to protect the data stored on the server from a third party, setting of user rights for data access and use and data concealment are generally performed. ing. Here, the concealment of data means that the data is expressed in a way that cannot be read by a third party.

  As a conventional technique for maintaining the confidentiality of data, for example, a part of keyword included in document data or accompanying information that is registered in advance as information that is not permitted to be viewed by outsiders is encrypted. A method of saving is known.

JP 2009-76009 A

  When data is protected by concealment, encryption processing using an encryption key is generally used. However, if the encryption key is stored on the server side where the data is stored, it becomes easy for a third party to obtain the encryption key and the encrypted data and make it correspond. The risk of leaking information that you want to occur increases.

  Also, if the encryption key is stored in each user's computer, the encryption key may be leaked to a third party due to loss of the computer itself, data extraction from the computer, etc. There is a danger that it becomes impossible to use.

  In addition, if the encryption key is stored on the user's computer, when the information stored on the server is output as a form, the form cannot be created from the encrypted information stored on the server. There is a problem.

  The present invention includes data input by a plurality of users when the data input by the user's computer is stored in a predetermined server via a network also used by a third party such as the Internet. As a mechanism that can be sent to and stored in the server in a safe state (concealed information), and can create a form from the concealed information stored in the server, An object is to provide a data concealment / restoration device, a data concealment / data restoration method, a data concealment / data restoration program, a data concealment / restoration system, and a form creation device.

  A data concealment / restoration device disclosed as an aspect of the present invention includes a concealment control information storage unit that stores concealment control information that specifies a concealment value among values included in information in association with a screen name. A transmission analysis unit that receives input information including a screen name and a value input on the screen, and selects concealment control information corresponding to the screen name in which the input information is input from the concealment control information storage unit; Based on the selected concealment control information, a predetermined encryption is performed for each concealment value included in the input information, and the input information is concealed with a concealment value including the encryption result of the encryption A data concealing unit for generating the secure input data with the value replaced, and transmitting the secure input data to a predetermined information processing device, and processing result information for the secure input data from the information processing device and concealing A data communication unit for receiving the safety result data including the value, a reception analysis unit for detecting the concealed value from the safety result data, and a concealment detected from the safety result data Performs decryption corresponding to the predetermined encryption for each value, replaces the concealed value of the security result data with the decrypted value, generates decrypted process result information, and decrypts the processed result A data decoding unit for outputting information.

  Further, in the data concealment method disclosed as another aspect of the present invention, the computer accepts input information including a screen name and a value input on the screen, and associates the value included in the information with the screen name. Among the concealment control information storage unit for storing concealment control information for specifying a concealment value, select concealment control information corresponding to the screen name to which the input information is input, and the selected concealment control information A secure input in which predetermined encryption is performed for each value to be concealed included in the input information based on and the concealed value of the input information is replaced with a concealed value including the encryption result of the encryption The processing step of generating data and transmitting the safety input data to a predetermined information processing apparatus is executed.

  According to another aspect of the present invention, there is provided a data restoration method in which a computer includes a concealment in which a value included in input information includes a value at the time of input or a value of an encryption result obtained by performing predetermined encryption. From the information processing device that stores the stored information that is the stored value, the safety information data of the stored information is received as the processing result of the information processing device, and the concealed value is detected from the safety result data, Perform decryption corresponding to the predetermined encryption for each concealed value detected from the security result data, and replace the concealed value of the safety result data with the decrypted value The process step of generating the completed process result information and outputting the decrypted process result information is executed.

  A data concealment program disclosed as another aspect of the present invention causes a computer to execute processing steps realized by the data concealment method described above.

  A data restoration program disclosed as another aspect of the present invention causes a computer to execute processing steps realized by the above-described data restoration method.

  In addition, a data concealment / restoration system disclosed as another aspect of the present invention includes a user terminal used by a user, a data storage apparatus that stores input information transmitted from the user terminal, and an encryption key distribution apparatus. To connect.

  The data storage device included in the data concealment / restoration system is information concealed that includes information received from the user terminal, and an included value includes a value at the time of input or a value of an encryption result obtained by performing predetermined encryption. A safe data storage unit that stores the stored information that is a value, and the stored information extracted from the safety data storage unit based on the input information received from the user terminal is transmitted to the user terminal as the safety result data A data processing unit.

  Further, the user terminal provided in the data concealment / restoration system includes a concealment control information storage unit that stores concealment control information that specifies a concealment value among values included in the information in association with a screen name, and a screen The data input / output device that accepts the input of the value and displays the processing result information transmitted from the data storage device on the screen, and the encryption key acquisition that acquires the encryption key from the encryption key distribution device Control information corresponding to the screen name to which the input information is received from the concealment control information storage unit, and the input information including the screen name and the value input on the screen is received from the data input / output device. A transmission analysis unit that selects the encryption key, and performs encryption using the encryption key for each value to be concealed included in the input information based on the selected concealment control information. A data concealment unit that generates secure input data in which the concealment value of the input information is replaced with a concealment value, and the secure input data is transmitted to a predetermined information processing device. A data communication unit that receives the safety result data, a reception analysis unit that detects the concealed value from the safety result data, and for each concealed value detected from the safety result data Performing decryption using an encryption key, replacing the concealed value of the security result data with the decrypted value to generate decrypted process result information, and storing the decrypted process result information in the data input A data decryption unit that outputs to the output device; and an encryption key deletion unit that receives the notification of the end of processing from the data input / output device and deletes the encryption key.

  Further, the encryption key distribution device provided in the data concealment / restoration system includes a storage unit that stores correspondence information between a user who inputs data at the data input / output device and an encryption key to be distributed, and the correspondence information. And an encryption key distribution unit that transmits an encryption key corresponding to the user to the user terminal.

  A form creation device disclosed as another aspect of the present invention is a form creation device that outputs a form using form information stored in an information processing apparatus connected via a network, and forms a form including a form name. Sends an instruction to the information processing apparatus, and stores the safety data of the form information in which the included value is a concealed value including a value at the time of input or a value of an encryption result obtained by performing predetermined encryption A form data acquisition unit that receives safety data of form information corresponding to the form creation instruction from the information processing apparatus, and the predetermined encryption for each concealed value detected from the safety result data A data decryption unit that performs corresponding decryption and replaces the concealed value of the safety data of the form information with the decrypted value to generate decrypted form information, and a form format corresponding to the form name are described. A form format acquisition unit for acquiring a form format corresponding to the form name included in the form creation instruction from the information processing apparatus, and form data creation for creating a form based on the decrypted form information and the form format A part.

  According to the above-described means of the data concealment / restoration device disclosed in the present application, a part of data input by the user at the user terminal is transmitted to a predetermined information processing device in a concealed state, and the information processing device receives The stored data can be stored in a state having a concealed portion and a non-confidential portion, or can be used for data processing. In particular, the data stored in the information processing apparatus can be used by a third party in a state including a concealed portion.

It is a figure for outlining the principle of the data concealment / restoration system to disclose. It is a figure which shows the functional block structural example of each apparatus which comprises the data concealment / decompression | restoration system in one Example. It is a figure which shows the block structural example of an encryption key distribution apparatus. It is a figure which shows the data structure example of a concealment policy. It is a figure which shows the data structure example of a secret dictionary. It is a figure which shows the example of a data structure of an authentication information storage part. It is a figure which shows the example of a data structure of an encryption key memory | storage part. It is a figure which shows the example of the data d. It is a figure which shows the example of the safety data d '. It is a figure which shows the example of a form parameter. It is a figure which shows the example of form data. It is a processing flow figure of encryption key acquisition processing. It is a processing flowchart of an encryption key distribution process. It is a processing flow figure of the concealment process of the data containing registration information or search conditions. It is a processing flow figure of a decoding process of the data received from the data storage device (server). It is a processing flowchart of encryption key deletion processing. It is a processing flow figure of the form output process of the data which a data storage device (server) preserve | saves. It is a processing flowchart of form information search processing of a data storage device (server). It is a processing flow figure of a decoding process of the safety data (form information) received from the data storage device (server). It is a processing flowchart of a form creation process of the form creation apparatus. It is a figure which shows the functional block structural example of each apparatus which comprises the data concealment / decompression | restoration system in another Example. It is a processing flow figure of the form information search process of the data storage device (server) in another Example. It is a processing flow figure of the decoding process of the safety data (form information) received from the data storage device (server) in another Example. It is a figure which shows the example of a data structure of the corresponding information when a data concealment / decompression | restoration apparatus performs a tokenization process. It is a figure which shows an example of the hardware constitutions of each apparatus of a data concealment / restoration system.

  Hereinafter, a data concealment / restoration system disclosed as an embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 is a diagram for explaining the principle of the disclosed data concealment / restoration system.

  The disclosed data concealment / restoration system (hereinafter simply referred to as “system”) 1 includes a data storage device (server) 2 for storing data input by a user of the system 1 and encryption of data input by the user. An encryption key distribution device 3 that distributes the encryption key to be used, a data concealment / restoration device 4 that conceals and restores data stored in the server 2, and a form of data stored in the server 2 A form creation device 5 is provided.

  The data concealment / restoration device 4 and the form creation device 5 are provided in a computer (user terminal) 7 used by each user of the system 1. As shown in FIG. 1, data concealment / restoration devices 4A and 4B and form creation devices 5A and 5B are provided in user terminals 7A and 7B used by users A and B, respectively.

  The data storage device (server) 2 stores the data d or the safety data d ′ received from the user terminal 7, or performs processing on the stored data according to the received data d or the safety data d ′. Information processing apparatus.

  The data d is data (input data) including a screen name on which data is input and input information including a value input on the screen, and the input information is subject to encryption processing by the data concealment / restoration device 4. Some parts are included.

  In this embodiment, the data d may indicate data (decoded processing result information) obtained by decrypting a part of the processing result information of the safety data d ′ by the data concealment / restoration device 4.

  The security data d ′ is data (processing result data) including a processing result corresponding to the input information of the data d input at the user terminal 7, and the processing result information includes decryption by the data concealment / restoration device 4. It includes a concealed portion (value) that is a target and a non-confidential portion (value) that is not a target.

  The server 2 distributes the concealment control information used in the processing of the data concealment / restoration device 4 of the user terminal 7 to the data concealment / restoration device 4 in advance.

  The concealment control information is information for specifying a value to be concealed among the values included in the input data, the concealment policy 21 indicating the position of data to be concealed for each screen or process, and concealment It is the secret dictionary 22 which shows the value of the data to convert. In FIG. 1, the concealment control information is stored in the same server as the security data. However, in order to prevent data to be concealed from being communicated in plain text due to falsification of the concealment control information, the cipher control information is the safety data. The update authority is different from the form format. Or store it on another server.

  Further, the server 2 stores a form format 23 indicating the output format of the form used by the form creation device 5 and distributes it to the form creation device 5 of the user terminal 7 in response to a request.

  Further, since the server 2 allows the third party other than the user to use the stored safety data d, the server 2 can transmit and receive data to and from the computer (third party terminal) 8 used by the third party.

  The encryption key distribution device 3 performs user authentication using login information (identification information, password, etc.) that the user received from the user terminal 7 uses to log in to the system 1 and encrypts it to the user terminal 7 of the authenticated user. Send key k.

  Based on the concealment policy 21, the data concealment / restoration device 4 encrypts a part of the data d input at the user terminal 7 using the encryption key k, and encrypts a part of the data d as a result of the encryption. And performing a concealment process for generating the secure data d ′ replaced in step 1 and a restoration process for decrypting a part of the secure data d ′ received from the server 2 with the encryption key k and restoring the original data d. When the user logs out from the system 1 (including a timeout), the encryption key k held therein is deleted.

  When the form output is requested by the user terminal 7, the form creation device 5 acquires the form format 23 corresponding to the requested form and the safety data d ′ corresponding to the form information search condition for outputting the form. It is a processing means for receiving the stored form data from the server 2 and creating a form.

  Next, an outline of the operation of the system 1 shown in FIG. 1 will be described.

  The concealment policy 21 held in advance by the data concealment / restoration device 4A of the user terminal 7A defines the position of the data (value) to be concealed by the item name of the data input for each screen. It is assumed that the values of item a and item b of data d are set as secret values.

[Processing example of registration information of user A]
First, an example of processing when user A saves registration information in the server 2 will be described.

  When the user terminal 7A transmits the login information of the user A to the encryption key distribution device 3, the encryption key distribution device 3 encrypts and transmits the encryption key k to the user terminal 7A after the authentication of the user A is completed.

  Each item (item a, item b, item c,...) On the information registration screen of the data input / output device (not shown) of the user terminal 7A has a value to be registered (secret a, secret b, plaintext c,...). When input, plain text data d including the input screen name and the input registration information (item a = secret a, item b = secret b, item c = plain text c,...) Is generated.

  Based on the concealment policy 21, the data concealment / restoration device 4A encrypts the concealment a and concealment b of the values a and b of the registration information of the data d with the encryption key k and encrypts the original value. Replaced by the result, “item a = encryption result a (indicated by“ Δ × □ ”” in the figure), item b = encryption result b (indicated by “▽ ○ ◇” in the figure), item c = plaintext c, .. ”Is generated and the safety data d ′ (registration information) is generated, and the safety data d ′ is transmitted to the server 2. The server 2 stores the received safety data d ′ (registration information) as it is.

  When the registration is completed and the user A logs out of the system 1, the data concealment / restoration device 4A deletes the stored encryption key k.

  Thereby, the information to be concealed input by the user A is stored in the server 2 in an encrypted state, and further, since the encryption key k is not stored in the server 2, the information to be concealed is stored in a safer state. Can do. Further, since the encryption key k is held in the user terminal 7A only while the user A is logged into the system 1, the risk of leakage of the encryption key k can be reduced.

[Example of information retrieval process for user A]
Next, an example of processing when user A searches for data registered in the server 2 will be described. Note that the distribution and deletion of the encryption key k at the time of login and logout are the same as those in the above processing example, and thus description thereof is omitted.

  When a value (secret a) is input to an item (item a) indicating a search condition on the information search screen of the data input / output device of the user terminal 7A, the input screen name and the input search condition (item a = secret a) ) Including plaintext data d.

  Based on the concealment policy 21, the data concealment / restoration device 4A encrypts concealment a of the value of the search condition item a of the data d with the encryption key k and replaces the original value with the encryption result “ The secured data d ′ (search condition) in which a part of data “item a = encryption result a (Δ × □)” is concealed is generated and transmitted to the server 2.

  The server 2 searches the secure data d ′ stored using “item a = secret a” in the received secure data d ′ (search condition) as a search key, and searches the corresponding registration information as “item”. a = encryption result a (Δ × □), item b = encryption result b (▽ ○ ◇), item c = plaintext c,... Send to 7A.

  When the user terminal 7 receives the secure data d ′ (search result) from the server 2, the data concealment / restoration device 4A detects the encrypted value from the secure data d ′ (search result), and performs encryption. Data d including the search result “item a = secret a, item b = secret b, item c = plain text c,... Pass to device.

  As a result, the data input / output device displays the decrypted search result on the information search screen.

[Example of processing of user A's form output]
Next, an example of processing when the user A outputs a form of registration information to the server 2 will be described. The distribution and deletion of the encryption key k is the same as in the above two processing examples.

  When a value (secret a) is input to the item (item a) indicating the form information search condition on the form output instruction screen of the data input / output device of the user terminal 7A, the input screen name and the input form information search condition ( Create plain text data d including item a = secret a).

  Based on the concealment policy 21, the data concealment / restoration device 4A encrypts concealment a of the value of the search condition item a of the data d with the encryption key k and replaces the original value with the encryption result “ Secured data d ′ (form information search condition) in which a part of data “item a = encryption result a (Δ × □)” is concealed is generated and transmitted to the server 2.

  The server 2 specifies the form format 23 of the corresponding form from the screen name of the received safety data d '(form information search condition) and transmits it to the user terminal 7A. Further, the server 2 searches for the safety data d ′ stored using “item a = secret a” in the received safety data d ′ (form information search condition) as a search key, and the corresponding information as a search result. “Item a = encryption result a (Δ × □), item b = encryption result b (▽ ○ ◇), item c = plaintext c,...”, And secure data d including the extracted form information '(Form information) is created and transmitted to the user terminal 7A.

  The user terminal 7 receives the form format 23 and the safety data d ′ (form information) from the server 2, and passes the form format 23 to the form creation device 5. The data concealment / restoration device 4A detects the encrypted value from the received secure data d ′ (form information), decrypts it with the encryption key k, and uses “encrypted” item as decrypted processing result information. Data d (form information) including “a = confidential a, item b = confidential b, item c = plain text c,...” is passed to the form creation device.

  As a result, the form creation device 5 creates and outputs a form based on the form format 23 and the restored data d (form information).

[User B's information search processing example]
Next, a case where the user B uses the information of the server 2 registered by the user A will be described.

  Here, it is assumed that the user B has the authority to use all of the registration information of the user A using the system 1 (the authority to distribute the encryption key k).

  When the user terminal 7B transmits the login information of the user B to the encryption key distribution device 3, the encryption key distribution device 3 uses the encryption key k registered in common with the user A after the authentication of the user B is completed. The encrypted data is transmitted to the user terminal 7B.

  Thereby, the user B can use the safety data d ′ stored in the server 2 in a restored state by the same processing as that performed by the user A.

  Note that if the user B does not have the authority to use all of the registration information of the user A and the encryption key k is not distributed, the processing is the same as the third-party processing example described below.

[Third-party information search processing example]
Next, a case where a third party uses information stored in the server 2 will be described.

  Assume that the system 1 permits third-party login to use only the information stored in the server 2 that is not concealed. Further, the third party terminal 8 used by a third party does not have the data concealment / restoration device 4 and the form creation device 5.

  When a value (plain text c) is input to the item (item c) indicating the search condition of the information search screen of the data input / output device of the third party terminal 8, the input screen name and the input search condition (item c = Plain text data d (search condition) including plain text c) is transmitted to the server 2.

  The server 2 searches the secure data d ′ stored using “item c = plaintext c” of the received data d (search condition) as a search key, and sets the corresponding registration information as “item a = encryption”. , A secure data d ′ (search result) including an encrypted result a (Δ × □), item b = encrypted result b (▽ ○ ◇), item c = plaintext c,. Send to.

  When the third party terminal 8 receives the security data d ′ (search result) from the server 2, the data input / output device reads “encryption result a (Δ × □), item b = encryption result b of data d”. The search result “(と い う ○ ◇), item c = plain text c,...” Is displayed.

  The third party acquires data satisfying the search condition from the information stored in the server 2, and displays and uses information about the items of “item c,...” That are not concealed included in the acquired data. can do. When it is desired for a third party to use the information of “item c,...”, The data stored in the server 2 is useful even if the information of the other items a, b is kept secret. Thus, the concealed items a and b of the secure data d ′ transmitted to the third party remain the encrypted values, and the third party uses the encryption key k for decryption. Since it is difficult to obtain, it is possible to use third party data while keeping the information to be kept secret in a safe state.

  Hereinafter, an embodiment of the present invention will be described in more detail.

  FIG. 2 is a diagram illustrating a functional block configuration example of each device constituting the data concealment / restoration system in one embodiment.

  The data storage device (server) 2 is an information processing device including a safety data storage unit 20, a concealment control information storage unit 24, a concealment control information distribution unit 25, and a data registration / creation unit 26. As long as each unit included in the data storage device 2 can be used from the data concealment / restoration device 4, it may be distributed to a plurality of logical or physical information processing devices.

  The safety data storage unit 20 is means for storing safety data d 'that is data obtained by partially concealing information (value) included in the data d.

  The concealment control information storage unit 24 is a means for storing a concealment policy 21 and a concealment dictionary 22 that are concealment control information used for concealment processing and restoration processing in the data concealment / restoration device 4.

  The concealment policy 21 includes information (value) to be concealed or decrypted among information input by the data input / output device 6 for each screen name or form name corresponding to the processing, for example, item name, row / column number. It is the information shown by etc. The value to be concealed is information that is not disclosed to a third party, such as personal information such as name and address.

  The secret dictionary 22 is information indicating a value to be concealed or decrypted among values such as a character string and a numerical value input by the data input / output device 6, an expression format, etc. For example, a character string indicating a person name, a telephone number, This is information indicating the expression format of a numeric string indicating a postal code, a credit card number, or the like.

  The concealment control information distribution unit 25 is means for preliminarily distributing the concealment control information stored in the concealment control information storage unit 24 to the data concealment / restoration device 4 via the network N such as the Internet. When the concealment control information is changed, the concealment control information distribution unit 25 notifies the update by RSS (Rich Site Summary) or the like, and the data concealment / restoration device 4 sends the concealment control information by the update notification. Downloading always provides the latest information. When downloading the concealment control information, encrypted communication such as https is used to prevent falsification of the concealment control information.

  The data registration / creation unit 26 stores the data (data d, safety data d ′) received from the user terminal 7 as it is in the safety data storage unit 20, or the safety data obtained as a processing result. This is means for transmitting the data in the storage unit 20 to the requesting user terminal 7 via the network N as it is.

  The server 2 includes a form format storage unit 27, a form parameter creation unit 281, a form format creation unit 282, and a form data transmission unit 283 as a form creation function.

  The form format storage unit 27 is a means for storing the form format 23 of the form output by the user terminal 7. The form format 23 is information that describes information defining the form expression form in a data format corresponding to the processing program of the form creation device 5 provided in the user terminal 7. The form format storage unit 27 stores a form format 23 created in advance corresponding to the form creation device 5 provided in the user terminal 7. Although not shown, the form format storage unit 27 may be configured as a form format table that associates the form name with the form format 23.

  The form parameter creation unit 281 creates form data based on the safety data d ′ (form information search condition) transmitted from the user terminal 7. Further, a form parameter in which a form name, a corresponding form format, a file name of the form data storing the form information search result, and the like are created as parameters necessary for form creation, and the safety data d ′ (form information search condition) ) To the transmission source user terminal 7.

  The form format creation unit 282 generates the form format 23 by referring to the form format storage unit 27 using the form name of the form parameter, and transmits the form format 23 to the user terminal 7 that is the transmission source of the safety data d ′ (form information search condition). Means.

  The form data transmission unit 283 transmits the form data storing the processing result of the form information search from the file name of the form data of the form parameter received from the form data creation unit 281 as the safety data d ′ (form information). It is means for transmitting to the terminal 7.

  The form data has a form name and a processing result, and the processing result stores a list of output items of the form defined by the form format 23 corresponding to the form name and their values. The output items of the form are associated with the data items stored in the safety data storage unit 20.

  Thereby, when the value of the safety data d ′ obtained by the form information search process is an item that is concealed by the encryption process based on the concealment policy 21, the concealed value is In the case of items other than, plaintext values (values input by the user terminal 7) are stored in the processing result of the form data. Therefore, the value of the part other than the form name of the form data differs every time depending on the processing result of the form information search.

  The user terminal 7 is an information processing device including a data concealment / restoration device 4, a form creation device 5, and a data input / output device 6.

  The data concealment / restoration device 4 includes a concealment control information storage unit 40, an encryption key acquisition unit 41, an encryption key deletion unit 42, a transmission analysis unit 43, a data concealment unit 44, a reception analysis unit 45, a data decryption unit 46, And a data communication unit 47.

  The concealment control information storage unit 40 is means for storing the concealment policy 21 and the concealment dictionary 22 that are concealment control information acquired from the server 2.

  The encryption key acquisition unit 41 is means for acquiring the encryption key k from the encryption key distribution device 3 and storing it in the data concealment / restoration device 4. Since the encryption key acquisition unit 41 transmits the user identification value, password, and encryption key to the encryption key distribution device 3 to obtain the encryption key k, in this example, the user terminal 7 and the encryption key distribution device 3 Is assumed to use an encrypted communication path such as https.

  The encryption key deletion unit 42 is means for deleting the encryption key k stored in the data concealment / restoration device 4 when logging out from the system 1 or when a predetermined time has elapsed. By deleting the encryption key k when the encryption key deletion unit 42 logs out or the like, the risk of leakage or loss of the encryption key from the user terminal 7 is reduced.

  The transmission analysis unit 43 receives data d including information input by the data input / output device 6, analyzes the received data d, and specifies the concealment policy 21 corresponding to the screen name to which the data d is input It is.

  The data d has zero or more sets of the name of the screen on which the data input is executed and the item name of the data input from the screen and the input value. The screen name is, for example, an information registration screen for information registration processing in the server 2, an information search screen for information search processing stored in the server 2, and a form including information stored in the server 2. This is a form creation instruction screen or the like for creation. The input data included in the data d may be associated with values by information specifying the row, column, or range in which the data is input, in addition to the item name.

  The data concealment unit 44 is means for generating the security data d ′ obtained by encrypting a part of the data d based on the concealment control information. The data concealment unit 44 identifies an item to be concealed from the data d based on the concealment policy 21 identified by the transmission analysis unit 43, encrypts the value of the identified item using the encryption key k, A value obtained by combining the encryption identifier indicating the implementation of the encryption and the encryption result (encrypted value) (the concealed value) is set instead of the original value and converted to the secure data d ′.

  Further, the data concealment unit 44, when the value (numerical value, character string, etc.) of the items other than the item to be concealed of the data d matches the expression format defined in the concealment dictionary 22, A value obtained by encrypting with k and combining a predetermined encryption identifier with the encryption processing result (a concealed value) is set instead of the original value.

  The encryption identifier may be information indicating that encryption is performed on the value. For example, the item name to be concealed with a specific expression value added, the item name of the item to be concealed The processing result (encrypted item name) encrypted with the encryption key k may be used. Further, the encryption identifier may be in any form as long as it is given to a value concealed in a manner corresponding to a predetermined method in which the data decryption unit 46 detects the encryption identifier from the secure data. As in this example, the encryption identifier is combined with a predetermined position like the beginning of the encryption processing result, and the encrypted processing result is sandwiched between encryption identifiers of a predetermined dedicated character string. It may be set.

  The data concealment unit 44 adds the encryption identifier to the encrypted value of the data d, so that the data decryption unit 46 encrypts the encrypted data d ′ without referring to the concealment policy 21. Can be detected by the encryption identifier and decrypted appropriately.

  As encryption and decryption processing algorithms performed by the data concealment unit 44 and the data decryption unit 46 described later, for example, a common key encryption method such as AES (Advanced Encryption Standard), Camellia, etc., various encryption methods, values A token method or the like that replaces with a unique token may be adopted.

  The reception analysis unit 45 analyzes the data d or the safety data d ′ received from the server 2 by the decryption method corresponding to the encryption executed by the data concealment unit 44, and the received security data d ′ is the data decryption unit. 46 is a means for notifying 46.

  The data decryption unit 46 is means for decrypting the concealed value included in the security data d ′, converting it into data d having only plaintext values, and passing the converted data d to the data input / output device 6. . The data decryption unit 46 detects the encryption identifier from the value stored in the processing result of the secure data d ′, and excludes the encryption identifier from the value (the concealed value) including the detected encryption identifier. The remaining value is decrypted with the encryption key k, and the value of the decryption process result (plain text) is set as the original value of the item.

  The data communication unit 47 is means for transmitting and receiving various data between the data concealment / restoration device 4 and the server 2 or the encryption key distribution device 3.

  The form creation device 5 is a processing unit including a form format acquisition unit 51, a form data acquisition unit 52, and a form creation unit 53, and is activated by a notification from the form creation instruction unit 63 of the data input / output device 6.

  The form format acquisition unit 51 refers to the form name of the form parameter, sends the form name to the server 2, and acquires the form format 23 transmitted from the server 2. When the form format 23 is transmitted from the server 2 as secured data, the form format 23 decrypted by the data concealment / restoration apparatus 4 is acquired. If the form format acquisition unit 51 has a cache function and has already stored the corresponding form format 23, the form format acquisition unit 51 stores the form without acquiring the form format from the server 2. Format can be used.

  The form data acquisition unit 52 generates the safety data d (form information) created by the server 2 corresponding to the safety data d ′ (form information search condition) including the form information search condition input by the form creation instruction unit 63. ) To obtain the decrypted form data (plain text) that is the result of the form information search process.

  If the data received from the server 2 is data d (form information) that does not include a concealed value, the form data acquisition unit 52 does not go through the processing of the data concealment / restoration device 4 and the plaintext data d (form information) is acquired as form data.

  The form creation unit 53 is a means for creating a form based on the form format 23 and the decrypted form data. The form is data in a predetermined outputable format such as a PDF (Portable Document Format) format.

  The data input / output device 6 of the user terminal 7 accepts the user's data input via the GUI, generates data d including the screen name operated by the user and the data (value) input by the user, and the data concealment / restoration device 4 is a means to pass to 4. The data input / output device 6 includes a login / out processing unit 61, a data registration / search unit 62, and a form creation instruction unit 63.

  The login / out processing unit 61 is means for performing login and logout processing of the system 1. The login / out processing unit 61 transmits login information input by the user to the encryption key distribution apparatus 3 at the time of login, and notifies the data concealment / restoration apparatus 6 of logout at the time of logout.

  The data registration / search unit 62 performs information registration processing in the server 2 and search processing for information stored in the server 2 and receives registration information or search condition data (value) input by the user from a predetermined screen, or It is means for displaying the processing result of the server 2 based on the received data.

  The form creation instructing unit 63 is a means for instructing the form output by the information stored in the server 2. The form creation instructing unit 63 receives a search condition (form information search condition) for information to be output by the user from a predetermined screen, and notifies the form creation apparatus 5 of a form output request.

  In the configuration example shown in FIG. 2, by providing the data concealment / restoration device 4 inside the user terminal 7, the risk of data wiretapping between the data concealment / restoration device 4 and the data input / output device 6 is further reduced. I am doing so.

  FIG. 3 is a diagram illustrating a block configuration example of the encryption key distribution apparatus 3.

  The encryption key distribution device 3 is an information processing device including an authentication information storage unit 30, an encryption key storage unit 31, and an encryption key distribution unit 32.

  The authentication information storage unit 30 is a means for storing user authentication information for distributing the encryption key. The authentication information includes a value for identifying each user (user identification value) and a value (password) that can be input only by the user himself / herself.

  The encryption key storage unit 31 is a means for storing one or a plurality of encryption keys k used by the data concealment / restoration device 4 of the user terminal 7 in association with the user identification information. The encryption key k is information corresponding to a processing algorithm executed by the data concealment / restoration device 4, and is, for example, a common key having a sufficient length in the case of general encryption processing.

  The encryption key distribution unit 32 is a means for transmitting the encryption key k associated with the user to the user terminal 7 of the authenticated user by general communication or encrypted communication when the user authentication is successful.

  The encryption key distribution apparatus 3 is provided in a safe place where access from a third party can be restricted. For example, the encryption key distribution apparatus 3 may be provided in an authentication server that performs user authentication of the system 1. In this case, the encryption key distribution device 3 obtains the authentication information of the user who has been authenticated by the authentication server, and transmits it to the user terminal 7 of the user who has authenticated the corresponding encryption key k. Thereby, the risk of leakage of the encryption key can be reduced.

  The encryption key distribution device 3 includes an information update unit (not shown in FIG. 3). The information update unit registers, changes, and deletes the authentication information and the encryption key information. However, since the information update unit is a general information update process, the description thereof is omitted.

  FIG. 4 is a diagram illustrating an example of the data structure of the anonymity policy 21.

  The concealment policy 21 is set for each screen name or form name displayed on the data input / output device 6, and a definition corresponding to zero or more screen names or form names is described in one concealment policy 21. The definition for each screen name or form name includes a position of zero or more values, for example, an item name, position, or range indicating data (value) to be concealed. The concealment policy 21 may be described in XML or HTML. When the screen is described in HTML, the screen name of the concealment policy 21 corresponds to the URL of the screen, and further has a request or response identification.

  In the example of the anonymization policy 21 shown in FIG. 4, the first description indicates items to be concealed with data d input on the screen whose screen name is “screen 0001”, and “name” and “ The value input in the item “address” indicates that the value is to be concealed.

  The concealment policy 21 may be defined in any format as long as the value to be encrypted can be specified, and there is no special restriction on the relationship between the concealment policy 21 and the data or form format that is the processing result. The definition of the anonymity policy 21 may describe the position or range of the value to be encrypted or decrypted by a row number or column number in a table format when the data d is in the CSV format, for example.

  FIG. 5 is a diagram illustrating a data structure example of the secret dictionary 22.

  The secret dictionary 22 describes the expression format of the character string and the value to be concealed of the data d input by the data input / output device 6 with a regular expression or a simplified regular expression. The secret dictionary 22 includes zero or more predetermined character strings regarded as first and last names and names, and expressions of predetermined number strings regarded as postal codes, telephone numbers, credit card numbers, and the like.

  The secret dictionary 22 shown in FIG. 5 includes a character string indicating a surname such as “Suzuki, Sato,...”, A numerical sequence regarded as a postal code such as “nnnnnnn (n is 0 to 9)” and “nnn-nnnn”. The format defines a format of a number sequence that is regarded as a credit card number such as “nnnnnnnnnnnnnnnnnn” and “nnnn-nnnn-nnnn-nnnn”.

  FIG. 6 is a diagram illustrating a data structure example of the authentication information storage unit 30.

  The authentication information storage unit 30 that stores the authentication information may be configured as an authentication information table as shown in FIG. The authentication information table 30 in FIG. 6 stores the user identification value, password, and encryption key identification value of each user.

  The user identification value is a unique value that identifies a user who can log in to the system 1. The password is a value that can be input only by the user specified by the user identification value. The encryption key identification value is a value for identifying the encryption key k, and the same value may be set for a plurality of users. The password and the encryption key identification value in the authentication information table 30 may be set as encrypted values.

  The data in the top row of the authentication information table 30 shown in FIG. 6 indicates that the password PW1 and the encryption key identification value kID1 are set for the user whose user identification value is “UID1”.

  FIG. 7 is a diagram illustrating a data structure example of the encryption key storage unit 31.

  The encryption key storage unit 31 that stores the encryption key k may be configured as an encryption key table as shown in FIG. 7, for example. The encryption key table 31 stores an encryption key identification value and a corresponding encryption key k.

  The encryption key identification value is a value for identifying the encryption key k, and is a value included in the authentication information in the authentication information storage unit 30. The encryption key k is the value of the encryption key itself used for encryption and decryption processing executed by the concealment / restoration device 4 or original information for generating the encryption key.

  The user authentication value and the encryption key k are associated with each other by the encryption key identification value, and the encryption key k to be distributed to the user is determined.

  FIG. 8 is a diagram illustrating an example of the data d.

  The data d is data input by the user in the data input / output device 6 and is data that is the basis of the safety data d ′ or data obtained by decrypting the safety data d ′ received from the server 2. As the original data of the safety data d ′, data d (registration information) by input on the information registration screen, data d (search condition) by input on the information search screen, and data d (form by input on the form creation instruction screen) (Information search condition) and the like, and data obtained by decrypting the safety data d ′ include data d (search result) and data d (form information).

  Data d has a screen name and a processing result. The screen name is information for identifying the screen on which the user input is made in the data input / output device 6. When the screen is described in HTML, the URL of the header part is the screen name. The processing result is data input or selected by a user operation on the screen, and includes zero or more pairs of item names and values (indicated by [item name = value] in the figure). The item name is information for identifying an item that accepts input of a value provided on the screen, and the value is data input or selected for the corresponding item name.

  FIG. 9 is a diagram illustrating an example of the safety data d ′.

  The safety data d ′ is data created by concealing the data d, and is data stored in the server 2.

  The safety data d 'is data in which a part of the value of the data d is encrypted, and the data structure has a screen name and a processing result, like the data d. The screen name is the screen name of the data d before processing. The processing result is data obtained as a result of processing associated with the screen name, and includes zero or more pairs of item names and values ([item name = value]).

  9 is the data d (registration information) shown in FIG. 8 concealed based on the concealment policy 21 shown in FIG. 4 and the concealment dictionary 22 shown in FIG. As a result of encryption, the values of the two items “name” and “address” to be concealed in the data d shown in FIG. 8 are “encryption identifier = encryption processing” in the secure data d ′ (registration information) in FIG. It is replaced with a concealed value of “result”. Further, the value of “remarks” that matches the expression format defined by the secret dictionary 22 of the data d in FIG. 8 is replaced with a concealed value “encryption identifier = encryption processing result” as a result of encryption. ing.

  The data d and the safety data d 'are described in XML, for example, but there are no restrictions on the data description format.

  FIG. 10 is a diagram illustrating an example of a form parameter.

  The form parameters created by the form parameter creation unit 281 have parameter information such as form name, creation identification, format name, storage location, form file name, and the like necessary for form creation.

  The form name is information for identifying the form associated with the screen name of the form creation instruction. The form name is determined based on the form name included in the form creation instruction transmitted from the form creation instruction unit 63 to the form parameter creation unit 281.

  The creation identification is a value for identifying the form creation process and is unique within the server 2.

  The format name is information for identifying the form format 23 corresponding to the form, and serves as a search key for the form format storage unit 27.

  The storage location is information indicating the storage location of the form data created by the form parameter creation unit 281, and is the file name that the form data acquisition unit 52 requests to send to the form data transmission unit 283, for example, the form data in the server 2. This is the data file name.

  The form file name is the file name of the form created by the user terminal 7.

  FIG. 11 is a diagram illustrating an example of form data.

  The form data created by the form parameter creation unit 281 is data created corresponding to the data d (form information search condition) input on the form creation instruction screen of the user terminal 7, and has a form name and a processing result. .

  The form name is determined based on the form name of the form parameter (the form name included in the form creation instruction transmitted by the form creation instruction unit 63).

  In the processing result, data that is the search result of the secure data storage unit 20 based on the form information search condition included in the data d (form information search condition) of the user terminal 7 is stored, and a pair of item name and value ([ Item name = value]).

  The item name is an output item defined in the form format 23 specified by the form name, and is associated with the item of the safety data d ′ obtained by the search. The value is stored with the value of the item corresponding to the output item of the secure data d ′ obtained by the search as it is, and the value is the value concealed by the data concealment / restoration device 4 or the data input / output It is a value (a plaintext value) input by the device 6.

  FIG. 11A is an example of form data when the safety data d 'is obtained as a result of the form information search. In the processing result of the form data in FIG. 11A, the values of “customer name” and “destination” of the output items are the concealed values (encryption identifiers) of the items “name” and “address” of the corresponding data. = Combination of encryption processing results).

  The form data storing the form information search result in the processing result is transmitted to the user terminal 7 as the safety data d ′ (form information) or data d (form information). In the user terminal 7, the data concealment / restoration device 4 detects and decrypts the concealed value of the received safety data d '(form information) and converts it into plain text data d (form information).

  FIG. 11B is an example of form data in the case of decrypted plaintext data d. In the processing result of the form data in FIG. 11B, the concealed values of “customer name” and “destination” are decrypted in the form data in FIG. Value (plain text).

  The safety data d '(form information) and data d (form information) corresponding to the form data are described in XML, for example, but there is no restriction on the data description format.

  Hereinafter, various processing operations in the system 1 will be described.

  FIG. 12 is a process flow diagram of the encryption key acquisition process.

  When the encryption key acquisition unit 41 of the data concealment / restoration device 4 receives the login information (user identification value and password) input by the user on the login screen from the login / out processing unit 61 of the data input / output device 6 (Step ID). S10), login information is transmitted to the encryption key distribution device 3 (step S11). The processing of the encryption key distribution device 3 that has received the login information will be described later.

  When the encryption key acquisition unit 41 acquires the encryption key k from the encryption key distribution device 3 upon completion of user authentication (Y in step S12), the encryption key acquisition unit 41 uses the acquired encryption key k of the data concealment / restoration device 4 to do so. If the encryption key k is not acquired from the encryption key distribution apparatus 3 due to an authentication failure (N in Step S12), the login / out processing unit 61 is notified of the authentication failure, The login / out processing unit 61 displays an authentication failure (step S14).

  FIG. 13 is a processing flowchart of encryption key distribution processing.

  When receiving the login information from the data input / output device 6 of the user terminal 7 (step S20), the encryption key distribution unit 32 of the encryption key distribution device 3 searches the authentication information storage unit 30 with the user identification value of the login information. (Step S21). When the obtained password is decrypted by a predetermined method and there is authentication information that matches the authentication information storage unit 30 (Y in step S22), the process proceeds to step S23, and when there is no matching authentication information (step S22). N) of S22, the process proceeds to step S28.

  The encryption key distribution unit 32 refers to the encryption key identification value from the matched authentication information (step S23), and decrypts the referenced encryption key identification value by a predetermined method (step S24). Then, the encryption key distribution unit 32 searches the encryption key storage unit 31 with the decrypted encryption key identification value (step S25), and if there is an encryption key corresponding to the decrypted encryption key identification value. (Y in step S26), the encryption key is transmitted to the user terminal 7 (step S27).

  If there is no matching authentication information (N in step S22) or if there is no encryption key corresponding to the encryption key identification value (N in step S26), an authentication failure is transmitted to the user terminal 7 (step S28).

  FIG. 14 is a processing flowchart of data concealment processing including registration information or search conditions.

  The data communication unit 47 of the data concealment / restoration device 4 receives from the data input / output device 6 data d (registration information) including the screen name of the information registration screen of the data registration / search unit 62 and the registration information input by the user on that screen. ) Or the data d (search condition) including the screen name of the information search screen and the search condition input by the user on the screen (step S30), the transmission analysis unit 43 extracts the screen name from the data d ( In step S31), the concealment policy 21 in the concealment control information storage unit 40 is searched with the extracted screen name (step S32). If there is a concealment policy 21 corresponding to the screen name (Y in step S33), the process proceeds to step S34, and if there is no matching concealment policy 21 (N in step S33), the process proceeds to step S39. .

  The data concealment unit 44 extracts one item defined in the concealment policy 21 from the registration information or the search condition stored in the processing result of the data d (Step S34), and encrypts the value of the extracted item. The encryption key k is used for encryption, and the value obtained by combining the encryption result with the encryption identifier (the concealed value) is set as the value of the item (step S35). Further, the data concealment unit 44 encrypts the value corresponding to the character string expression format of the concealment dictionary 22 with the value of the item other than the concealment item of the data d using the encryption key k (step S36). .

  If the process has not been executed up to the last item of the processing result of data d (N in step S37), the process returns to step S35, and if the process has been executed up to the last item (Y in step S37). The process proceeds to step S38.

  If all items set in the concealment policy 21 are not processed in step S38 (N in step S38), the process returns to step S34, and if all concealment items are processed (step S38). Y), the process proceeds to step S39.

  In step S <b> 39, the data communication unit 47 transmits the safety data d ′ (registration information) or the safety data d ′ (search condition) in which a part of the value of the data d is concealed by the data concealment unit 44 to the server 2. To do.

  When it is determined in step S33 that the anonymity policy 21 does not exist, the data concealment unit 44 does not execute the processes in steps S34 to S38, and the data communication unit 47 receives the data from the data input / output device 6. The plain text data d (registration information) or data d (search condition) is sent to the server 2.

  When the server 2 receives the safety data d ′ (registration information) or the data d (registration information) from the user terminal 7, the data registration / creation unit 26 keeps the registration information of the received data as it is. Save to the storage unit 20. As a result, the safety data storage unit 20 stores the safety data d ′ in which some item values are encrypted and the data d in which the item values are not encrypted.

  In addition, when the server receives the safety data d ′ (search condition) or data d (search condition), the data registration / creation unit 26 secures the data search condition item and value pair as a search key. The data storage unit 20 is searched, data matching the search key is extracted, and transmitted to the user terminal 7 as the safety data d ′ (search result) or data d (search result).

  FIG. 15 is a process flow diagram of the decoding process of data received from the data storage device (server) 2.

  When the data communication unit 47 of the data concealment / restoration device 4 receives the secure data d ′ (search result) from the server 2 (step S40), the reception analysis unit 45 includes an encryption identifier in the processing result of the received data. It is determined whether the data is safe data d ′ depending on whether it exists, and notifies data decoding unit 46 (step S41).

  When the data decryption unit 46 detects the encryption identifier from the value of the processing result item of the secure data d ′ (search result) (Y in step S42), the data decryption unit 46 detects the encryption detected from the detected anonymized value. The identifier is removed (step S43), and the remaining value of the concealed value is decrypted using the encryption key k (step S44). If the process has not been executed up to the last item of the process result of the safety data d ′ (N in Step S45), the process returns to Step S42, and if the process has been executed up to the last item (Y in Step S45) ), The data communication unit 47 transmits data d (search result) obtained by decoding the processing result of the safety data d ′ (search result) to the data input / output device 6 (step S46).

  Thereby, the data registration / search unit 62 of the data input / output device 6 can display the secured search result received from the server 2 on the search result display screen in a plain text state.

  FIG. 16 is a process flowchart of the encryption key deletion process.

  When the encryption key deletion unit 42 of the data concealment / restoration device 4 acquires a logout instruction input by the user on the logout screen of the login / out processing unit 61 or detection of a predetermined time (timeout detection) (step S50), the data When the encryption key k exists in the concealment / restoration apparatus 4 (Y in step S51), the encryption key k is deleted (step S52), and when the encryption key k does not exist (in step S51) N) The process is terminated as it is.

  FIG. 17 is a process flow diagram of a form output process for data stored in the data storage device (server).

  The data communication unit 47 of the data concealment / restoration device 4 inputs the screen name of the form creation instruction screen of the form creation instruction unit 63, the form name associated with the screen name, and the user input from the data input / output device 6 When data d (form information search condition) including search conditions for data to be output is acquired (step S60), the transmission analysis unit 43 extracts the form name from the data d (form information search condition) (step S61). The concealment policy 21 in the concealment control information storage unit 40 is searched with the extracted form name (step S62).

  If there is a concealment policy 21 that matches the form name (Y in step S63), the process proceeds to step S64, and if there is no concealment policy 21 (N in step S63), the process proceeds to step S69. .

  The data concealment unit 44 extracts one item defined in the concealment policy 21 from the processing result (form information search condition) of the data d (form information search result) (step S64), and the data d (form information search) The value of the corresponding item of the processing result of (result) is encrypted using the encryption key k, and the value obtained by combining the encryption identifier (the concealed value) before the encryption result (encrypted value) is the item. (Step S65). Further, the data concealment unit 44 uses the value corresponding to the character string expression format of the concealment dictionary 22 in the value of the item other than the item to be concealed in the processing result of the data d (form information search result), and uses the encryption key k. Then, encryption is performed (step S66).

  If the process has not been executed to the end of the item of the processing result of the data d (form information search result) (N in step S67), the process returns to step S65, and if the process has been executed to the end of the item (step Y in S67), the process proceeds to step S68. If it is determined in step S68 that all items in the anonymization policy 21 have not been processed (N in step S68), the process returns to step S64, and if all items to be concealed have been processed (in step S68). Y) Proceed to step S69.

  The data communication unit 47 transmits the safety data d ′ (form information search condition) including the search name for the screen name, form name, and data to be output to the server 2 (step S69).

  FIG. 18 is a process flow diagram of the form information search process of the data storage device (server) 2.

  When the form parameter creation unit 281 of the server 2 receives the safety data d ′ (form information search condition) from the user terminal 7 (step S70), the form parameter creation unit 281 stores the data searched by the form information search condition. Form data to be created is created, the safety data storage unit 20 is searched with the form information search condition (a set of items and values) of the safety data d ′ (form information search condition), and the corresponding data is acquired (step S71). ). Further, the form parameter creation unit 281 stores the data acquired in association with the output item of the form format 23 (the concealed value of the corresponding item) in the form data processing result (step S72). Here, if the data extracted by the form information search condition is the safety data d ′ including the concealed value, the form data processing result stores a pair of the output item and the concealed value, Data is also secured. Further, the form parameter creation unit 281 creates a form parameter including the form name of the safety data d ′ (form information search condition) and transmits it to the user terminal 7 (step S73).

  When the form format creation unit 282 receives the safety data d ′ (form name) from the user terminal 7 (step S74), the form format creation unit 282 searches the form format storage unit 27 by the form name and acquires the form format 23 of the form to be output. And it transmits to the user terminal 7 (step S75).

  When the form data transmission unit 283 receives the safety data d ′ (storage location) from the user terminal 7 (step S76), the form data storing the search result based on the form information search condition is used as the safety data d ′ (form information). To the user terminal 7 (step S77).

  In FIG. 18, each step of the processing flow is illustrated as a series of flows, but in this example, the processing of steps S70 to S73, S74 to S75, and S76 to S77 is respectively performed with the user terminal 7. It is executed as another data communication with the device (server) 2.

  FIG. 19 is a processing flowchart of decryption processing of the safety data (form information) received from the data storage device (server).

  The data communication unit 47 of the data concealment / restoration device 4 receives the form parameter, the form format 23, and the safety data d '(form information) from the server 2 (step S80). The reception analysis unit 45 determines that the form parameter received by detecting the encryption identifier in the received data and the form format 23 are not secure, and sends the form parameter to the form creation instruction unit 63 of the data input / output device 6. The form parameters and the form format 23 are transmitted to the form creation device 5 (step S81).

  The data decrypting unit 46 detects the encryption identifier from the value of the processing result of the safety data d ′ (form information), thereby concealing the value of the processing result of the safety data d ′ (form information). Is determined (step S82).

  When the encryption identifier is detected from the value of the processing result of the secure data d ′ (form information) (Y in step S83), the process proceeds to step S84, and when the encryption identifier is not detected (step S83). N), the process proceeds to step S86.

  The data decryption unit 46 removes the detected encrypted identifier from the detected concealed value (step S84), and decrypts the remaining value of the concealed value using the encryption key k (step S84). S85). If the process has not been executed up to the last item of the process result of the safety data d ′ (N in Step S86), the process returns to Step S83, and if the process has been executed up to the last item (Y in Step S86) The data communication unit 47 transmits data d (form information) obtained by decrypting the processing result of the safety data d ′ (search result) to the form creation device 5 (step S87).

  In addition, when the form format 23 received from the server 2 is secured, the concealed value of the form format 23 is decrypted and converted into plain text by the same process as the process of steps S83 to S86 described above. The form format 23 is transferred to the form creation apparatus 5.

  When unsecured data d (form information) is received from the server 2, the processing of steps S83 to S86 is not executed, and the received data d (form information) is used as it is. Passed to.

  FIG. 20 is a process flow diagram of the form creation process of the form creation apparatus.

  In the form creation device 5 activated by the form creation instruction unit 63, the form format acquisition unit 51 receives data d (form name) based on the form name or format name of the form parameter received from the data storage device (server) 2. Is created and the form format is requested to the data storage device (server) 2 (step S881). When the form format is received from the data storage device (server) 2, it is stored (step S882).

  The form data acquisition unit 52 creates data d (storage location) based on the storage location of the form parameter, requests the form information from the data storage device (server) 2 (step S883), and receives the form information. Is stored (step S884). The form creation unit 53 creates a form using the form file name of the form parameter, the saved form format, and form information (step S885).

  In FIG. 20, each step of the processing flow is illustrated as a series of flows, but the processing of steps S881 to S882 and S883 to S884 in the processing flow is respectively performed by the user terminal 7 and the data storage device (server). It is executed as another data communication with the two.

  Data d created by the form creation device 5 of the user terminal 7 as a request to the data storage device (server) 2, that is, data d (form name) and data d (storage location) 4 is converted to the safety data d ′ and transmitted to the data storage device (server) 2. Similarly, data transmitted from the data storage device (server) 2 in response to a request from the form creation device 5 is similarly received by the user terminal 7 and decrypted by the data concealment / restoration device 4 and delivered to the form creation device 5. It is.

  As another embodiment, the system 1 according to the present invention can take a configuration example different from the block configuration example shown in FIG.

  Next, another embodiment of the present invention will be described.

  FIG. 21 is a diagram illustrating a functional block configuration example of each device constituting the data concealment / restoration system 1 in another embodiment.

  21 having the same numbers as the means shown in FIG. 2 perform the same operation.

  In another embodiment, as shown in FIG. 21, the user terminal 7 includes a plurality of form creation devices 5 ′ that differ for each form. The form creation device 5 ′ previously holds a form format 23 ′ of the form created by itself, and forms based on the form format 23 ′ and a search result (form data) for the form information search condition received from the server 2. A form creation unit 54 is provided.

  Furthermore, the data input / output device 6 includes a form data acquisition unit 64.

  The form data acquisition unit 64 acquires the safety data d ′ (form information) or data d (form information) created by the server 2 based on the form information search condition input to the user by the form creation instruction unit 63. This is means for transmitting the received safety data d ′ (form information) or the like to the form creation device 5 ′ associated with the form name included in the safety data d ′ (form information).

  The form creation instructing unit 63 notifies the form creation device 5 ′ corresponding to the form of activation, and the form creation unit 54 of the notified form creation device 5 ′ receives the data d (form information) that is decrypted from the form data acquisition unit 64. ) And a form (form file) is created based on the form format 23 ′.

  Furthermore, the server 2 does not need to include the form format storage unit 27, the form parameter creation unit 281, the form format creation unit 282, and the form data transmission unit 283 provided in the server 2 illustrated in FIG. The form data creation unit 284 of the server 2 searches the safety data storage unit 20 with the safety data d ′ (form information search condition) transmitted from the user terminal 7, and uses the data obtained by the search as a result of the form data processing. Is sent to the user terminal 7.

  FIG. 22 is a process flow diagram of the form information search process of the data storage device (server) 2 in another embodiment.

  When the form data creation unit 284 of the server 2 receives the safety data d ′ (form information search condition) from the user terminal 7 (step S90), the form information search condition (the form information search condition) of the safety data d ′ (form information search condition) The safety data storage unit 20 is searched by item / value pair) to obtain the corresponding data (step S91).

  Further, the form data creation unit 284 stores the data (items and values) acquired by the search in the processing result of the safety data d ′ (form information) (step S92), and stores the safety data d ′ (form information). It transmits to the user terminal 7 (step S93).

  FIG. 23 is a processing flowchart of decryption processing of the safety data (form information) received from the data storage device (server) 2 in another embodiment.

  When the data communication unit 47 of the data concealment / restoration device 4 receives the security data d ′ (form information) from the server 2, the reception analysis unit 45 receives the security received by detecting the encryption identifier in the received data. The data d ′ (form information) is determined to be concealed and notified to the data decryption unit 46 (step S100).

  The data decrypting unit 46 detects the encryption identifier from the value of the processing result of the safety data d ′ (form information), thereby concealing the value of the processing result of the safety data d ′ (form information). Is determined (step S101).

  When the encryption identifier is detected from the value of the processing result of the security data d ′ (form information) (Y in step S102), the process proceeds to step S103, and when the encryption identifier is not detected (step S102). N), the process proceeds to step S106.

  The data decryption unit 46 removes the detected encryption identifier from the detected concealed value (step S103), and decrypts the remaining concealed value using the encryption key k (step S103). S104). If the process has not been executed up to the last item of the process result of the safety data d ′ (N in Step S105), the process returns to Step S103, and if the process has been executed up to the last item (Y in Step S105) ), The data communication unit 47 transmits the data d (form information) obtained by decoding the processing result of the safety data d ′ (search result) to the form data acquisition unit 64 of the data input / output device 6 (step S106).

  The form data acquisition unit 64 notifies activation to the form creation apparatus 5 ′ corresponding to the form to be created, and transmits the received data d (form information) to the notified form creation apparatus 5 ′ (step S 107).

  The form creation unit 54 of the form creation apparatus 5 'performs a process of creating a form based on the form format 23' and the received data d (form information) (step S108).

  If unsecured data d (form information) is received from the server 2, the processing of steps S102 to S105 is not executed, and the received data d (form information) is directly obtained as form data. Passed to part 64.

  In the above embodiment, the example in which the data concealment / restoration device 4 executes the encryption / decryption algorithm using the common key has been described. However, the data concealment / restoration device 4 replaces the data value with a unique token. Token-type processing for storing correspondence information between tokens and replaced values of data in a database, a file, or the like may be executed.

  In the case of the token method, the data concealment / restoration device 4 generates token authentication information for connecting to the correspondence information of the value replaced with the token in association with the distributed encryption key k.

  FIG. 24 is a diagram illustrating a data structure example of correspondence information when the data concealment / restoration device 4 performs tokenization processing.

  The correspondence information includes a token encrypted with the encryption key k and a replaced value corresponding to the token. The correspondence information is stored as a file or a database.

  When storing the correspondence information in a file format, a file is created for each encryption key k, and the file name is a random character string. The user who can use each file of the correspondence information is the same user as the user of the encryption key k. The file name of the correspondence information is managed by adding the item of the file name of the correspondence information to the encryption key table shown in FIG. 7 and corresponding to the identification value of the encryption key in the same manner as the encryption key k. When the correspondence information is stored in the database, the database user is the same user as the user of the encryption key k.

  In the above embodiment, the data concealment / restoration device 4 is described as a configuration example provided in the user terminal 7. However, the data concealment / restoration device 4 is separated from the user terminal 7 and provided as a proxy device. It may be an example. The data concealment / restoration device 4 provided as a proxy device is connected to one or a plurality of user terminals 7, concealing data d transmitted from each user terminal 7 to the data storage device (server) 2, and data storage Decryption of the safety data d ′ transmitted from the device (server) 2 to each user terminal 7 is performed. When the proxy device is used, communication between the user terminal 7 and the proxy device is encrypted using https or the like.

  FIG. 25 is a diagram illustrating an example of a hardware configuration of each device of the data concealment / restoration system 1.

  A data storage device (server) 2, an encryption key distribution device 3, and a user terminal 7 constituting the system 1 are respectively a processor 101, a memory 102, a storage 103, a portable storage medium drive device 104, an input / output device 105, and a communication. It can be implemented on a computer 100 that includes an interface 106.

  The processor 101 executes a program stored in the storage 103 or a portable storage medium in cooperation with the memory 102 or the storage 103. The processor 101 includes a control unit, an arithmetic unit, an instruction decoder, and the like, and the execution unit performs arithmetic / logic using the arithmetic unit in accordance with a control signal output from the control unit in accordance with an instruction of the program decoded by the instruction decoder. Perform the operation. The processor 101 includes a control register that stores various types of information used for control, a cache that can temporarily store the contents of the accessed memory 102, and a table that functions as a cache of a page table of virtual memory. The processor 101 may have a configuration in which a plurality of CPU (Central Processing Unit) cores are provided.

  The memory 102 is a storage device such as a RAM (Random Access Memory), and is a main memory in which a program executed by the processor 101 is loaded and data used for processing of the processor 101 is stored. The storage 103 is a storage device such as an HDD (Hard Disk Drive) or a flash memory, and stores programs and various data. The portable storage medium driving device 104 is a device that reads data and programs stored in a portable storage medium. The portable storage medium is, for example, a magnetic disk, an optical disk, a magneto-optical disk, or a flash memory.

  The input / output device 105 is a keyboard or the like, a display or the like, receives an operation command by a user operation or the like, and outputs a processing result by the computer 100. The communication interface 106 is a LAN (Local Area Network) card or the like, and performs data communication with the outside. Each component of the computer 100 is connected by a bus 108.

  Note that each storage unit of the data storage device (server) 2, the encryption key distribution device 3 and the user terminal 7 constituting the system 1 described in the above embodiment is any of the memory 102, the storage 103, and the portable storage medium. Or one.

  A program executed by the processor 101 and data to be accessed may be stored in another device that can communicate with the computer 100.

  For example, data stored in the storage unit of the data storage device 2 may be stored in a storage unit included in another device (computer) different from the data storage device 2. In this case, the data storage device 2 and another device are connected to a network so that they can communicate with each other, and the data storage device 2 accesses the storage unit of the other device via the network.

  In addition, the computer 100 can execute each processing unit that realizes the functions of the data storage device 2, the encryption key distribution device 3, the data concealment / restoration device 4, the form creation device 5, and the data input / output device 6 of the system 1. Can be implemented by various programs. In this case, a program describing the processing contents of each of the above processing units is provided, and the computer 100 executes the provided program, so that the function of each processing unit is realized on the computer 100.

  As described above, the present invention has the following effects.

  (1) Data stored in the server can be used effectively. Data (safety data) that is divided into a part that automatically conceals data input by the user and a part that is not concealed is transmitted and stored in the server. As a result, only the information that the user who entered the data does not want to be known by the third party can be concealed from the third party, while the third party is not concealed among the data stored in the server. Partial information can be used.

  (2) By storing the security data on the server, there is a danger in each computer used by the user, for example, data leakage due to loss of the computer body, data leakage due to extraction of the encryption key from the computer, etc. In addition, it is possible to reduce the risk of unavailability of data due to loss of the encryption key used for encryption.

  (3) Providing the user with the operability not to be aware of the execution of the process that partially conceals the data entered by the user or the storage of the data as secure data on the server. Data safety can be improved without causing a burden.

  (4) The safety data stored in the server can be output in a form including a concealed portion and a non-confidential portion.

1 Data concealment / restoration system 2 Data storage device (server)
DESCRIPTION OF SYMBOLS 20 Secured data storage part 21 Concealment policy 22 Confidential dictionary 23 Form format 24 Concealment control information storage part 25 Concealment control information distribution part 26 Data registration / accumulation part 27 Form format storage part 281 Form parameter creation part 282 Form format creation Unit 283 Form data transmission unit 284 Form data creation unit 3 Encryption key distribution device 30 Authentication information storage unit 31 Encryption key storage unit 32 Encryption key distribution unit 4 Data concealment / restoration device 40 Concealment control information storage unit 41 Encryption Key acquisition unit 42 Encryption key deletion unit 43 Transmission analysis unit 44 Data concealment unit 45 Reception analysis unit 46 Data decryption unit 47 Data communication unit 5 Form creation device 51 Form format acquisition unit 52 Form data acquisition unit 53, 54 Form creation unit 6 Data I / O device 61 Login / out processing section 62 Data Registration / Search Unit 63 Form Creation Instruction Unit 64 Form Data Acquisition Unit 7 User terminal device (user terminal)
8 Third-party terminal devices (third-party terminals)

Claims (10)

A concealment control information storage unit that stores concealment control information that specifies a concealment value among values included in the information in association with the screen name;
A transmission analysis unit that receives input information including a screen name and a value input on the screen, and selects concealment control information corresponding to the screen name in which the input information is input from the concealment control information storage unit;
Based on the selected concealment control information, a predetermined encryption is performed for each concealment value included in the input information, and the input information is concealed with a concealment value including the encryption result of the encryption A data concealment unit that generates secure input data with replaced values;
A data communication unit for transmitting the safety input data to a predetermined information processing device and receiving from the information processing device safety result data including a concealed value that is processing result information for the safety input data; ,
A reception analysis unit for detecting the concealed value from the safety result data;
Perform decryption corresponding to the predetermined encryption for each concealed value detected from the security result data, and replace the concealed value of the safety result data with the decrypted value A data concealment / restoration apparatus comprising: a data decoding unit that generates completed process result information and outputs the decrypted process result information. An encryption key acquisition unit for acquiring an encryption key corresponding to a user who inputs a value on the screen from the encryption key distribution device;
An encryption key deletion unit that receives the notification of the end of processing by the user and deletes the encryption key, and the data concealment unit performs encryption using the encryption key as the predetermined encryption,
The data concealment / restoration device according to claim 1, wherein the data decryption unit performs decryption using the encryption key as decryption corresponding to the predetermined encryption. A form creation unit for creating a form based on the form information stored in the information processing apparatus;
The transmission analysis unit accepts a form creation instruction as the input information from the form creation unit,
The data concealment unit generates safety input data for requesting the form information specified in the form creation instruction based on the concealment control information selected by the form name included in the form creation instruction,
The data communication unit transmits the safety information input request for the form information to the information processing apparatus, receives the safety result data of the form information requested by the safety input data from the information processing apparatus,
The data decryption unit performs the decryption for each concealed value detected from the safety result data, generates decrypted form information as the decrypted process result information, and transmits the decrypted form information to the form creation unit,
The data concealment / restoration apparatus according to claim 1 or 2, wherein the form creation unit creates a form based on the decrypted form information and a predetermined form format. The data communication unit receives a form format corresponding to a form name included in the form creation instruction from the information processing apparatus;
The data concealment / restoration device according to claim 3, wherein the data decryption unit transmits the decrypted form information and the form format to the form creation unit. Computer
Accepts input information including the screen name and the value entered on the screen,
The concealment corresponding to the screen name to which the input information is input from the concealment control information storage unit that stores the concealment control information that specifies the concealment value among the values included in the information in association with the screen name. Select control information,
Based on the selected concealment control information, a predetermined encryption is performed for each concealment value included in the input information, and the input information is concealed with a concealment value including the encryption result of the encryption Generate safe input data with the value replaced,
A data concealment method comprising: performing a processing step of transmitting the safety input data to a predetermined information processing apparatus. Computer
A process of the information processing apparatus from the information processing apparatus that stores the stored information in which the value included in the input information is a concealed value including a value at the time of input or a value obtained by performing a predetermined encryption As a result, receiving the safety result data of the stored information,
Detecting the concealed value from the safety result data;
Performing decryption corresponding to the predetermined encryption for each concealed value detected from the safety result data;
The decrypted value is replaced with the concealed value of the security result data to generate decrypted process result information, and the decrypted process result information is output. Data restoration method. On the computer,
Accepts input information including the screen name and the value entered on the screen,
The concealment corresponding to the screen name to which the input information is input from the concealment control information storage unit that stores the concealment control information that specifies the concealment value among the values included in the information in association with the screen name. Select control information,
Based on the selected concealment control information, a predetermined encryption is performed for each concealment value included in the input information, and the input information is concealed with a concealment value including the encryption result of the encryption Generate safe input data with the value replaced,
A data concealment program characterized by causing the secure input data to be transmitted to a predetermined information processing apparatus and executing a process. On the computer,
From the information processing apparatus that stores the secure input data in which the value included in the input information is a concealed value including the value at the time of input or the value of the encryption result obtained by performing the predetermined encryption, the information processing apparatus Receiving the safety result data of the stored information as the processing result of
Detecting the concealed value from the safety result data;
Performing decryption corresponding to the predetermined encryption for each concealed value detected from the safety result data;
Data for generating a decrypted process result information by replacing the concealed value of the security result data with the decrypted value, and outputting the decrypted process result information Restore program. A data concealment / restoration system in which a user terminal used by a user, a data storage device that stores input information transmitted from the user terminal, and an encryption key distribution device are connected to each other,
The data storage device includes:
Safety data for storing stored information which is information received from the user terminal and whose included value is a concealed value including a value at the time of input or a value of an encryption result obtained by performing predetermined encryption A storage unit;
A data processing unit for transmitting the stored information extracted based on the input information received from the user terminal from the safety data storage unit to the user terminal as safety result data,
The user terminal is
A concealment control information storage unit that stores concealment control information that specifies a concealment value among values included in the information in association with the screen name;
A data input / output device that displays a screen and accepts input of values, and displays processing result information transmitted from the data storage device on the screen;
An encryption key acquisition unit for acquiring an encryption key from the encryption key distribution device;
Accepts input information including a screen name and a value input on the screen from the data input / output device, and selects concealment control information corresponding to the screen name to which the input information is input from the concealment control information storage unit A transmission analysis unit;
Encryption is performed using the encryption key for each value to be concealed included in the input information based on the selected concealment control information, and the input with the concealed value including the encryption result of the encryption A data concealment unit that generates secure input data by replacing the information concealment value;
A data communication unit for transmitting the safety input data to a predetermined information processing device and receiving the safety result data from the information processing device;
A reception analysis unit for detecting the concealed value from the safety result data;
Perform decryption using the encryption key for each concealed value detected from the securement result data, and replace the concealed value of the securement result data with the decrypted value. A data decoding unit that generates processing result information and outputs the decoded processing result information to the data input / output device;
An encryption key deletion unit that receives a notification of processing end from the data input / output device and deletes the encryption key;
The encryption key distribution device includes:
A storage unit for storing correspondence information between a user who inputs data at the data input / output device and an encryption key to be distributed;
A data concealment / restoration system comprising: an encryption key distribution unit that transmits an encryption key corresponding to the user to the user terminal based on the correspondence information. A form creation device that outputs a form using form information stored in an information processing apparatus connected via a network,
A form creation instruction including a form name is transmitted to the information processing apparatus, and the included value is a concealed value including a value at the time of input or an encrypted result obtained by performing predetermined encryption. A form data acquisition unit that receives safety data of form information corresponding to the form creation instruction from the information processing apparatus that stores the safety data;
Perform decryption corresponding to the predetermined encryption for each concealed value detected from the safety result data, and replace the concealed value of the safety data of the form information with the decrypted value A data decryption unit for generating decrypted form information,
A form format acquisition unit for acquiring a form format corresponding to the form name included in the form creation instruction from the information processing apparatus storing the form format corresponding to the form name;
A form creation apparatus comprising: a form data creation unit that creates a form based on the decrypted form information and the form format.

Images